 jimmoc Premium join:2001-12-30 Niagara Falls, NY
Pix 501 Inside Access List?
I'm hoping someone can help me with this. Is it possible to create an access list on the inside interface that prevents one computer on the inside from accessing another computer on the inside? The pix is currently used as the gateway and dhcp server.
Here's what I'm trying to do. We have two departments connected to the same pix. I don't want one department to be able to connect to any of the computers from the other department. I realize this isn't really the correct way to go about this but unless we absolutely have to we don't want to buy more equipment. Thanks!
 peteway
join:2001-11-19 Baton Rouge, LA
Are they all on the same broadcast domain? I'm guessing yes, if the pix is the only layer 3 device you have. I don't think that the pix supports secondary ip addresses on the interface, which would be the only way you could do it. Since (or if) they are on the same broadcast domain they will not be bouncing off the pix in order to route to other computers on the inside, so an access list would not work. So I think the answer is no.
  nd_tech
join:2003-04-10 Troy, MI
reply to jimmoc
Describe your network a little more. I'm guessing you have 2 departments plugging into the same switch, then the switch is going to the pix. If that is the case, then no, an access-list will not work.
 jimmoc Premium join:2001-12-30 Niagara Falls, NY
2 departments. I don't want Department A to access Department B but I don't care if Department B accesses Department A. One plugs directly into the pix (Dept B) and the other plugs into a switch (Dept A) and from there into the pix. It sounds like it won't work but I wasn't sure. I'm thinking I would probably need a router or something to segregate the one network off.
Here's the thing. One of our vendors needs access (PC Anywhere) to a server in Department A from the internet. I am against opening the ports up and allowing them this access but I've been over-ruled. I'm trying to convince them to only allow it when we initiate the connection, which would avoid me having to open any ports. In case I don't win that battle I'm also trying to find a way to prevent anyone from accessing the computers in Department B when they are connected to that server in Department A.
 doctorcisco
join:2002-10-30 Aurora, IL
You may wish to consider setting up Cisco VPN client access on the PIX, and have the vendor bring up a VPN session before using PC Anywhere to that box. Then use an ACL to permit PC Anywhere traffic into the outside interface only from the address range you give out to the VPN clients (192.168.x.x or whatever).
doc
 jimmoc Premium join:2001-12-30 Niagara Falls, NY
That's a good idea on the VPN. Hadn't thought of that, but once they are in and connected to that PC they can go wherever they want from that PC. I was thinking if we had to initiate the PC Anywhere connection to them each time at least we would know when they are connected.
 aryoba Premium,MVM join:2002-08-22
2 edits
If you use the PIX handling the VPN, you can use AAA to restrict clients' access. This is the standard way that comes with VPN. However, the catch is that you have to set up an AAA server.
As to the PIX physical connections, I can see that you need a PIX with at least three interfaces; one interface goes to the Internet, one goes to Dept. A, and one goes to Dept. B. The Internet's PIX interface security level is 0 (outside interface), B is 100 (inside interface), and A is (let's say) 50 (DMZ interface).
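The two suggestions above (doctorcisco's VPN-then-ACL idea and aryoba's three-interface layout) fit together in one PIX configuration. The sketch below is an added example written for this thread, not something any poster provided, and it uses PIX 6.3 syntax. It assumes a PIX with three interfaces (the PIX 501 has only an outside port and a four-port inside switch, so this needs a larger model such as a 515), and the addresses, interface names, pool range and server IP are all made up for illustration: Dept B on inside (10.1.2.0/24, security 100), Dept A on a third interface called depta (10.1.1.0/24, security 50) with the PC Anywhere server at 10.1.1.10, and 192.168.50.0/24 handed out to VPN clients.

```cisco
! Added example for this thread; all addresses and names are assumptions.
! inside = Dept B (security 100), depta = Dept A (security 50), outside = Internet (security 0)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 depta security50
ip address inside 10.1.2.1 255.255.255.0
ip address depta 10.1.1.1 255.255.255.0

! Both departments share the outside address for Internet access.
! Identity statics let the PIX pass traffic between the two LANs untranslated.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (depta) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,depta) 10.1.2.0 10.1.2.0 netmask 255.255.255.0
static (depta,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! Dept A (security 50) must not reach Dept B (security 100).
! Lower-to-higher traffic is already dropped unless permitted; the explicit
! deny keeps that true even if someone later adds a broad permit.
! Dept B -> Dept A (higher to lower) needs nothing extra.
access-list depta_in deny ip any 10.1.2.0 255.255.255.0
access-list depta_in permit ip 10.1.1.0 255.255.255.0 any
access-group depta_in in interface depta

! Remote-access VPN for the vendor: IKE pre-shared key plus XAUTH
! against the PIX local user database (no separate AAA server needed).
ip local pool vpnpool 192.168.50.1-192.168.50.20
username vendor password <vendor-xauth-password> privilege 2
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client authentication LOCAL
crypto map vpnmap interface outside
vpngroup vendor address-pool vpnpool
vpngroup vendor idle-time 1800
vpngroup vendor password <group-pre-shared-key>

! Exempt server <-> VPN pool traffic from NAT so the tunnel sees real addresses.
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (depta) 0 access-list nonat

! Do NOT let decrypted IPsec traffic bypass the outside ACL; with this off,
! the outside_in list below is exactly what the vendor's packets are checked against.
no sysopt connection permit-ipsec

! Outside ACL: only the VPN pool, only to the server, only PC Anywhere
! (TCP 5631 data, UDP 5632 status). Nothing else from the Internet is opened.
access-list outside_in permit tcp 192.168.50.0 255.255.255.0 host 10.1.1.10 eq 5631
access-list outside_in permit udp 192.168.50.0 255.255.255.0 host 10.1.1.10 eq 5632
access-group outside_in in interface outside
```

Two things worth checking after applying something like this: `show access-list` should show hit counts climbing on the two outside_in lines and on the depta_in deny when a Dept A host tries to reach Dept B, and `show crypto ipsec sa` should show the vendor's tunnel with the pool address. This does not stop the vendor from using the server as a jump box within Dept A once connected (the concern raised above), but because the server sits on the security-50 interface, the depta_in deny means anything the vendor does from that server still cannot reach Dept B.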